Tier 3: Repeatable

Purpose: Systems for monitoring and ensuring enhanced security of Active Directory services:

agentless scheme of work, without changing AD settings, there is both On-Prem and SaaS deployment options
a large and constantly updated database of attack patterns and dangerous configurations
constant monitoring of AD security status, change tracking, establishing trust relationships, etc
data collection and analysis based on authentication protocols (Kerberos, DNS, RPC, NTLM, etc.)
correlation of disparate events/changes to detect complex targeted ART attacks (Pass-the-Ticket, Pass-the-Hash, Overpass-the-Hash, Golden ticket, etc.)

Purpose: Deep analysis of network traffic:

use of Deep Packet Inspection / Deep Session Inspection technologies and/or NetFlow / IPFIX protocols
detection of network anomalies that may indicate the beginning of a “zero-day” attack
detection of attempts to exfiltrate data from corp. network, which may indicate insider activity
long-term storage of a log of recorded network sessions for retrospective analysis and incident investigation
integration with NAC class solutions to simplify monitoring of compliance with network security policies and segmentation
integration with the Cyber Deception System and EDR to speed up response and increase the complexity of incident analysis

Purpose: Monitoring, auditing and access control to information processed in the database

analysis of user / process activity, verification of requests to the DBMS, blocking of obvious threats (for example, SQL injections) and potentially dangerous / atypical requests to the DB
creating policies for creating and blocking records in the database
protection, management and control of access to privileged accounts
management of user and application privileges on end devices

Purpose: Profile protection of WEB applications:

inspection of all web page content including HTML, DHTML, CSS and HTTP/HTTPS content delivery protocols
blocking abnormal requests to the web application, protection against XSS attacks and SQL injections
implementation of multifactor authentication in the web application by means of the WAF itself
control over delimitation of access rights for web application users
SSL termination (reducing the load on the web server)
load balancing on web servers

Purpose: Centralized management of mobile devices:

integration into the corporate environment of any devices running on any platforms (including personal ones, according to the BYOD concept)
providing secure access to corporate resources from mobile devices (“containers” with data and applications, forced shutdown of the camera, Bluetooth, modem during work, etc.)
user identification management based on unified corporate policies
audit, monitoring and control of compliance of devices and applications with corporate policies

Purpose: Prevention of data leakage:

continuous monitoring of web and e-mail channels mail (when integrated with SWG, SEG), file repositories, workstations, databases, export to removable media, etc.
blocking attempts of unauthorized access to confidential information
prevention of unauthorized export of data through any channels, including printing
detection of attempts at disguised exfiltration of confidential data – image recognition, control of digital prints

Purpose: Centralized collection, long-term storage and analysis of event logs (the basic tool of the corporate Security Operation Center):

support for collecting logs from all possible sources in the corporate network (network screens and other network equipment)
long-term storage of logs in an unchanged state (Compliance task)
analysis of collected information according to defined criteria and scenarios, detection of deviations from the norm, cyber security incidents and suspicious activity
implementation and automation of incident management processes (incident – notification – response – analysis – improvement)